tags 642136 + patch
thanks

I agree with Joey Hess: "Available to all users" should not be the default for new wifi connections, so that unprivileged users can connect to new networks without needing a sudo or root password, or additional policykit privileges.

The attached patch to the network-manager-applet (!) source modifies nm-applet such that a new wifi connection created through the applet belongs to the user, and not the system. If a wifi connection is to be made available to all users, this has to be done in a separate step, e.g. using nm-connection-editor.

I've tested this successfully with an open and a WPA2 secured network, but I haven't had a chance to check if 802.1x networks have additional settings that need to be set to "agent owned".

Florian

--- a/src/applet-device-wifi.c +++ b/src/applet-device-wifi.c @@ -393,6 +393,23 @@ } static void +mark_secret_agent_owned (NMSetting *setting, + const char *key, + const GValue *value, + GParamFlags flags, + gpointer user_data) +{ + NMSettingSecretFlags secret_flags = NM_SETTING_SECRET_FLAG_NONE; + + if (!(flags & NM_SETTING_PARAM_SECRET)) + return; + + nm_setting_get_secret_flags (setting, key, &secret_flags, NULL); + secret_flags |= NM_SETTING_SECRET_FLAG_AGENT_OWNED; + nm_setting_set_secret_flags (setting, key, secret_flags, NULL); +} + +static void _do_new_auto_connection (NMApplet *applet, NMDevice *device, NMAccessPoint *ap, @@ -462,6 +479,21 @@ nm_connection_add_setting (connection, NM_SETTING (s_8021x)); } + /* Add user to the connection's permission list and mark all secrets as + * owned by a user secret agent (as opposed to the system). + * This enables unprivileged users to add and connect to new wifi networks (#642136). + * As a consequence, new wifi connections created through nm-applet are no longer + * system-wide by default. They are owned by the individual user, and have to be + * expicitly made "available to all users", e.g. by using nm-connection-editor. + */ + if (!s_con) { + s_con = (NMSettingConnection *) nm_setting_connection_new (); + nm_connection_add_setting (connection, NM_SETTING (s_con)); + } + g_object_set (G_OBJECT (s_con), NM_SETTING_CONNECTION_PERMISSIONS, NULL, NULL); + nm_setting_connection_add_permission (s_con, "user", g_get_user_name (), NULL); + nm_connection_for_each_setting_value (connection, mark_secret_agent_owned, NULL); + /* If it's an 802.1x connection, we need more information, so pop up the * Dialog Of Doom. */
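
Review bot: In the first hunk, mark_secret_agent_owned() discards the results of both nm_setting_get_secret_flags() and nm_setting_set_secret_flags() and passes NULL for the error argument, so a secret whose flags cannot be updated silently stays system-owned. For that connection the unprivileged user would still need extra privileges to save the secret, with nothing in the logs to explain why. Check the return value of the set call and emit a g_warning() naming the setting and key on failure. Since the callback runs over every secret in every setting, including the 802.1x setting that the cover message says was not tested, a warning here would also show which 802.1x properties need attention. Using |= rather than assignment is a good choice because it preserves any flags already present.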
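
Review bot: In the second hunk, the permission list is cleared with g_object_set (..., NM_SETTING_CONNECTION_PERMISSIONS, NULL, NULL) and the result of nm_setting_connection_add_permission() is then ignored. If the add fails, the connection is left with an empty permission list, which NetworkManager treats as available to all users, the opposite of what the comment promises. Test the return value and abort or warn rather than continuing with an unrestricted connection. It is also worth confirming that secrets entered later through the 802.1x dialog mentioned in the trailing context are still marked agent-owned, because nm_connection_for_each_setting_value() runs here before that dialog is shown. Minor: "expicitly" in the new comment should read "explicitly".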